Cloud Access Security Broker — CASB for SaaS Security Guide
In this tutorial, you'll learn about Cloud Access Security Broker. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
A cloud access security broker sits between users and cloud applications to enforce security policies, discover shadow IT, detect anomalous behavior, and apply data loss prevention controls across SaaS, PaaS, and IaaS services.
What You Will Learn
How CASB solutions discover sanctioned and unsanctioned cloud apps, enforce access controls, protect data through DLP and encryption, and detect threats across multi-SaaS environments.
Why It Matters
Employees use hundreds of SaaS applications. IT cannot manage them manually. CASB tools provide visibility, control, and threat detection for every cloud app in use, whether IT knows about it or not.
Real-World Use
DodaTech uses Microsoft Defender for Cloud Apps to discover 47 unsanctioned SaaS applications used across the organization. The CASB blocks high-risk apps, enforces DLP policies that prevent uploading credit card numbers to personal cloud storage, and detects a compromised account logging in from an unusual location.
CASB Architecture
flowchart LR
Users[Corporate Users] --> CASB[Cloud Access Security Broker]
subgraph CASB Functions
Discovery[Shadow IT Discovery]
DLP[Data Loss Prevention]
Threat[Threat Detection]
Access[Access Control]
end
CASB --> Sanctioned[Sanctioned Apps\nOffice 365, Salesforce]
CASB --> Unsanctioned[Unsanctioned Apps\nBlock or Monitor]
Discovery --> Shadow[Visibility Dashboard]
DLP --> Alert[DLP Alerts]
Threat --> IR[Incident Response]
style CASB fill:#f90,color:#fff
Microsoft Defender for Cloud Apps
Defender for Cloud Apps provides CASB capabilities integrated with Microsoft 365, Azure AD, and third-party apps.
# Create a session policy that monitors file uploads containing sensitive data
# Policies can be created in the portal or, as here, through the Defender for Cloud Apps API
# ($TOKEN holds an API token issued for the tenant)
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Monitor sensitive data uploads",
"type": "session",
"severity": "medium",
"scope": {
"apps": ["Box", "Dropbox", "Google Drive"],
"users": ["all"]
},
"filters": {
"contentContains": ["credit_card", "ssn_pattern"]
},
"actions": ["monitor"]
}' \
"https://api.cloudappsecurity.com/api/v1/policies"
# Generate a Cloud Discovery report
curl -X GET \
-H "Authorization: Bearer $TOKEN" \
"https://api.cloudappsecurity.com/api/v1/discovery/reports"
# Output:
# {
# "totalApps": 342,
# "sanctionedApps": 47,
# "unsanctionedApps": 295,
# "highRiskApps": 23
# }
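The discovery report above is the output of the shadow IT discovery the CASB runs over proxy or firewall logs. The following Python block is an added example (not code from the page or from Defender for Cloud Apps) of that aggregation: it reads a constructed proxy log, classifies each destination against a hypothetical app catalogue and sanctioned list, and produces the same four counters plus the first targets for a targeted block.

```python
# Constructed sample of web-proxy log lines: user, destination host, bytes uploaded.
PROXY_LOG = """\
alice corp.sharepoint.com 120340
alice dropbox.com 5400000
bob salesforce.com 2200
bob wetransfer.com 98000000
carol drive.google.com 450000
carol dropbox.com 1200000
dave unknown-share.example 3000000
"""

# Hypothetical app catalogue: host -> (app name, risk level).
# Hosts not in the catalogue are unknown apps and are treated as high risk.
APP_CATALOG = {
    "corp.sharepoint.com": ("Office 365", "low"),
    "salesforce.com": ("Salesforce", "low"),
    "drive.google.com": ("Google Drive", "medium"),
    "dropbox.com": ("Dropbox", "medium"),
    "wetransfer.com": ("WeTransfer", "high"),
}
SANCTIONED = {"Office 365", "Salesforce", "Google Drive"}  # hypothetical sanctioned list


def discover_apps(log_text):
    """Aggregate users and upload volume per app, then classify each app."""
    apps = {}
    for line in log_text.splitlines():
        user, host, nbytes = line.split()
        name, risk = APP_CATALOG.get(host, (host, "high"))
        entry = apps.setdefault(name, {"risk": risk, "users": set(), "bytes_up": 0,
                                       "sanctioned": name in SANCTIONED})
        entry["users"].add(user)
        entry["bytes_up"] += int(nbytes)
    return apps


def discovery_report(apps):
    """Summary in the shape of the Cloud Discovery report shown above."""
    return {
        "totalApps": len(apps),
        "sanctionedApps": sum(1 for a in apps.values() if a["sanctioned"]),
        "unsanctionedApps": sum(1 for a in apps.values() if not a["sanctioned"]),
        "highRiskApps": sum(1 for a in apps.values() if a["risk"] == "high"),
    }


def block_candidates(apps, min_bytes=50_000_000):
    """Unsanctioned, high-risk apps with heavy uploads: the first targets for a targeted block
    (monitor everything else first, as the Common Mistakes section advises)."""
    return sorted(n for n, a in apps.items()
                  if not a["sanctioned"] and a["risk"] == "high" and a["bytes_up"] >= min_bytes)
```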
Netskope CASB
Netskope provides real-time inline CASB with DLP, threat protection, and behavioral analytics.
# Netskope API: List cloud apps by risk level
curl -X GET \
-H "Authorization: Bearer $NETSKOPE_TOKEN" \
"https://api.netskope.com/api/v2/apps?risk_level=high&limit=10"
# Output:
# {
# "apps": [
# {"name": "Unknown File Sharing", "risk": "high", "users": 12},
# {"name": "Personal Storage", "risk": "high", "users": 8}
# ]
# }
# Create a DLP rule that blocks credit card uploads
curl -X POST \
-H "Authorization: Bearer $NETSKOPE_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Block Credit Cards",
"criteria": {"dataPattern": "credit_card"},
"action": "block",
"apps": ["all_personal_storage"]
}' \
"https://api.netskope.com/api/v2/policies/dlp"
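Both the Defender session policy above (action "monitor") and this Netskope DLP rule (action "block") hinge on the CASB recognising a credit card number in an upload. The Python block below is an added example, not the vendors' code, of what that inline check looks like: a candidate-number regex, a Luhn check so that order numbers and other digit runs do not trigger false positives, and a hypothetical policy table that blocks uploads to personal storage while only monitoring sanctioned apps.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid card-number candidates found in the text (digits only)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


# Hypothetical policy table: app category -> action when a card number is detected.
# Unsanctioned personal storage is blocked; sanctioned apps are monitored first.
POLICY = {"personal_storage": "block", "sanctioned": "monitor"}


def evaluate_upload(app_category, content):
    """Decide allow / monitor / block for one upload, the way an inline DLP policy would."""
    hits = find_card_numbers(content)
    if not hits:
        return {"action": "allow", "matches": 0}
    return {"action": POLICY.get(app_category, "monitor"), "matches": len(hits)}
```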
Zscaler CASB
Zscaler's CASB integrates with its Cloud Security platform for inline traffic inspection across all ports and protocols.
# Zscaler API: Enable CASB for a specific app
curl -X PUT \
-H "Authorization: Bearer $ZSCALER_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"appName": "salesforce.com",
"casbPolicy": {
"dlpEnabled": true,
"threatProtection": true,
"activityControl": "monitor_all"
}
}' \
"https://api.zscaler.com/api/v1/casb/applications"
CASB Deployment Modes
CASB solutions operate in three modes: API-based (out-of-band access to app APIs), forward proxy (inline with user traffic), and reverse proxy (inline with app traffic). Most enterprises use a combination.
Common Mistakes
- No shadow IT discovery: Deploying CASB without enabling discovery misses the primary value. Discover all apps in use before enforcing policies.
- Blocking everything: Aggressive blocking creates workarounds. Start with monitoring, identify high-risk apps, then apply targeted blocks.
- Ignoring sanctioned app risks: Sanctioned apps like Office 365 also need DLP controls. CASB protects both sanctioned and unsanctioned apps.
- No user education: Users blocked from personal file sharing will find alternatives. Educate users on approved tools and data handling policies.
- CASB without SIEM integration: CASB generates valuable threat data. Integrate with your SIEM for correlation with other security signals.
Practice Questions
- What is the difference between API-based and inline CASB deployment?
- How does shadow IT discovery work in CASB solutions?
- What DLP capabilities do CASB tools provide for SaaS applications?
- Why should CASB alerts be integrated with a SIEM?
- How can CASB detect compromised accounts?
Challenge
Deploy a CASB Strategy for a company using Office 365, Salesforce, Slack, and Google Drive. Use Microsoft Defender for Cloud Apps to discover all cloud apps in use. Create a policy that blocks file uploads containing credit card numbers to unsanctioned file-sharing apps. Create a second policy that alerts when a user accesses a sanctioned app from an unusual location. Configure the CASB to integrate with Azure AD for identity context.
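The second policy in the challenge, and the compromised-account case in the Real-World Use section, rely on the CASB comparing each sign-in against what is normal for that user. The Python block below is an added example (not Defender for Cloud Apps code) of that detection over constructed sign-in events: it learns the countries each user has signed in from, raises a medium alert for a sanctioned-app sign-in from a new country, and raises it to high when the previous sign-in from another country was within a travel window the analyst chooses.

```python
from datetime import datetime, timedelta

# Constructed sign-in events for a sanctioned app: (user, ISO timestamp, country code).
SIGNINS = [
    ("alice", "2024-03-01T08:00:00", "US"),
    ("alice", "2024-03-02T08:05:00", "US"),
    ("alice", "2024-03-03T09:10:00", "US"),
    ("alice", "2024-03-03T10:20:00", "NG"),   # new country, 70 minutes after a US sign-in
    ("bob",   "2024-03-01T07:30:00", "DE"),
    ("bob",   "2024-03-04T07:45:00", "FR"),   # new country, but three days later
]


def unusual_location_alerts(events, travel_window_hours=6):
    """Flag sign-ins from a country not yet in the user's baseline.

    Severity is "high" when the previous sign-in came from a different country inside the
    travel window (the impossible-travel case), otherwise "medium". A flagged country is not
    added to the baseline, so it keeps alerting until an analyst confirms it as legitimate.
    """
    alerts = []
    baseline = {}   # user -> set of countries seen and accepted
    last_seen = {}  # user -> (datetime, country) of the previous sign-in
    for user, ts, country in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        known = baseline.setdefault(user, set())
        if known and country not in known:
            severity = "medium"
            prev = last_seen.get(user)
            if (prev and prev[1] != country
                    and when - prev[0] <= timedelta(hours=travel_window_hours)):
                severity = "high"
            alerts.append({"user": user, "time": ts, "country": country, "severity": severity})
        else:
            known.add(country)   # first sign-in for the user, or a country already accepted
        last_seen[user] = (when, country)
    return alerts
```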